Executive Summary
A critical path traversal vulnerability (CVE-2026-15265) has been identified in Tenable Agent, a widely deployed endpoint agent used by enterprises running the Tenable vulnerability management platform (Tenable.sc, Tenable.io, Tenable One). The flaw allows a privileged attacker to write arbitrary files to locations outside the intended plugin directory, with the potential to achieve remote code execution.
CVSS Score: 9.1 (Critical)
While the vulnerability requires elevated privileges to exploit, the potential to write arbitrary files to any path on the system — and the near-universal deployment of Tenable Agent in enterprise environments — makes this a critical remediation priority. Organizations should patch immediately.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-15265 |
| CVSS Score | 9.1 (Critical) |
| Type | Path Traversal / Arbitrary File Write |
| Attack Vector | Local / Network (privileged context) |
| Privileges Required | Privileged (elevated) |
| User Interaction | None |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| Affected Versions | Tenable Agent ≤ 11.1.3 and 11.2.0 |
| Patch Available | Yes — upgrade to patched release |
Affected Products
| Product | Affected Versions | Status |
|---|---|---|
| Tenable Agent | 11.2.0 | Patched in later release |
| Tenable Agent | 11.1.3 and earlier | Patched in later release |
| Tenable.io managed agents | Depends on deployed version | Apply update via console |
| Tenable.sc managed agents | Depends on deployed version | Apply update via console |
Technical Analysis
Root Cause
CVE-2026-15265 stems from insufficient path validation in the Tenable Agent's plugin management subsystem. When the agent processes plugin data, it does not adequately sanitize directory traversal sequences (e.g., ../, ..\) embedded in plugin paths or metadata. A privileged attacker — someone with the ability to interact with the agent's plugin interface or supply crafted plugin content — can exploit this to write files to arbitrary locations on the host filesystem.
The plugin directory is intended to be a controlled location where Tenable's vulnerability check content resides. Breaking out of this boundary enables an attacker to overwrite system binaries, configuration files, or drop payloads in startup/persistence locations.
Attack Flow
1. Attacker gains privileged access to a system running Tenable Agent
(e.g., compromised admin account, lateral movement, insider threat)
2. Attacker crafts a malicious plugin package or payload with path traversal sequences
in file paths (e.g., "../../../../etc/cron.d/backdoor" or "../../system32/malware.dll")
3. Attacker delivers the crafted payload to the Tenable Agent plugin processing path
4. Agent fails to validate/normalize the path — writes file to attacker-controlled location
5. File is written outside the plugin directory (arbitrary filesystem write)
6. Attacker uses the written file for persistence (cron job, startup item, DLL hijack)
7. Code execution achieved — persistence or privilege maintainedWhy This Is Dangerous
Tenable Agent runs with elevated privileges on every managed endpoint — typically as a service account with broad system access. The agents are deployed on:
- Domain controllers — highest-value targets in enterprise environments
- Database servers — financial, healthcare, and PII data at risk
- Critical infrastructure systems — OT/ICS environments using Tenable OT Security
- Cloud workloads — AWS EC2, Azure VMs, GCP instances with agent-based scanning
- Containerized environments — Kubernetes nodes and container hosts
Arbitrary file write on these systems with agent-level privileges provides multiple avenues for persistence and further compromise.
Impact Assessment
| Impact Area | Description |
|---|---|
| Remote Code Execution | Write to cron, startup, or service directories → persistent shell |
| Privilege Escalation | Overwrite SUID binaries or sudo configuration on Linux/Unix |
| Persistence | Plant backdoors in autorun locations, evade detection |
| Data Integrity | Overwrite critical system or application files |
| Supply Chain Risk | Tenable Agent deployed org-wide — single exploit path affects all managed endpoints |
| Lateral Movement | Written credentials or SSH keys enable pivoting to additional systems |
Immediate Remediation
Step 1: Identify Affected Agent Versions
# Linux: Check Tenable Agent version
/opt/nessus_agent/sbin/nessuscli --version
# Windows: Check via PowerShell
Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like "*Nessus Agent*" } | Select-Object Name, Version
# Or check registry on Windows
Get-ItemProperty "HKLM:\SOFTWARE\Tenable\Nessus Agent" | Select-Object VersionStep 2: Update Tenable Agent
# Linux — update via package manager (RPM-based)
sudo yum update NessusAgent
# Linux — update via package manager (Debian-based)
sudo apt-get update && sudo apt-get upgrade nessusagent
# Or download the updated installer from:
# https://www.tenable.com/downloads/nessus-agentsTenable.io / Tenable.sc users: Initiate a mass update of all agents from the management console:
Tenable.io → Settings → Agents → Select All → Update Agents
Tenable.sc → Scan → Agent Management → Update AllStep 3: Restrict Agent Privileges (Defense in Depth)
While patching, review and minimize the service account privileges used by the Tenable Agent:
# Linux: Verify Tenable Agent service user
ps aux | grep -i nessus
# The agent should run as a dedicated low-privilege user where possible
# Check agent service configuration
systemctl show nessusagent | grep UserStep 4: Monitor for Exploitation Indicators
# Linux: Watch for unusual file writes in agent plugin directory and parent paths
inotifywait -m -r /opt/nessus_agent/var/nessus/plugins/ -e create -e modify | \
grep '\.\.'
# Check for recently modified files outside expected plugin paths
find /opt/nessus_agent/ -newer /opt/nessus_agent/var/nessus/plugins/ \
-not -path "*/plugins/*" -type f 2>/dev/nullDetection Indicators
| Indicator | Description |
|---|---|
Files written outside /opt/nessus_agent/var/nessus/plugins/ | Path traversal exploitation |
| New cron entries matching agent process parent | Persistence via written cron job |
| Unexpected SUID binary modifications | Privilege escalation attempt |
Agent process writing to /etc/, /tmp/, or Windows system directories | Anomalous file activity |
| Tenable Agent process spawning unexpected child processes | Post-exploitation code execution |
Post-Remediation Checklist
- Patch all Tenable Agent instances (11.1.3 and below, 11.2.0) to the latest version
- Audit recently modified files on systems running the vulnerable agent version — look for anomalous writes outside the plugin directory
- Review cron jobs, startup items, and scheduled tasks on affected hosts for unauthorized entries
- Rotate credentials on systems that ran the vulnerable agent if exploitation is suspected
- Check agent logs for unusual plugin processing activity
- Verify integrity of critical system binaries on high-value endpoints (domain controllers, database servers)
- Update your asset inventory to confirm all agent-managed endpoints have been patched